From HEAD:
author Bodo Möller <bodo@openssl.org>
Wed, 28 May 2008 22:15:48 +0000 (22:15 +0000)
committer Bodo Möller <bodo@openssl.org>
Wed, 28 May 2008 22:15:48 +0000 (22:15 +0000)
Fix double-free in TLS server name extensions which could lead to a remote
crash found by Codenomicon TLS test suite (CVE-2008-0891)

Reviewed by: openssl-security@openssl.org

Obtained from: jorton@redhat.com

CHANGES
ssl/t1_lib.c

diff --git a/CHANGES b/CHANGES
index 63fa6aa972ff9b837eff771cdb44032c7a146f92..5d6c7a8d0a529b83483110536346fc5c6a8cad65 100644 (file)
--- a/CHANGES
+++ b/CHANGES
 
  Changes between 0.9.8g and 0.9.8h  [xx XXX xxxx]
 
+  *) Fix double free in TLS server name extensions which could lead to
+     a remote crash found by Codenomicon TLS test suite (CVE-2008-0891) 
+     [Joe Orton]
+
   *) Clear error queue in SSL_CTX_use_certificate_chain_file()
 
      Clear the error queue to ensure that error entries left from
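Review bot: The new CHANGES entry reads ambiguously: "a remote crash found by Codenomicon TLS test suite" attaches the finder to the crash rather than to the bug. Consider splitting it, for example "...which could lead to a remote crash. Found by the Codenomicon TLS test suite (CVE-2008-0891)". The second added line also ends in trailing whitespace after "(CVE-2008-0891)", and the entry spells "double free" where the commit message uses "double-free"; pick one form.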
index f3c5a16e481ffb1c34465f5a83d3e6d43979f733..bde52b126b3d79426048d750e0db9d21227a40af 100644 (file)
@@ -637,6 +637,7 @@ int ssl_parse_clienthello_tlsext(SSL *s, unsigned char **p, unsigned char *d, in
                                                s->session->tlsext_hostname[len]='\0';
                                                if (strlen(s->session->tlsext_hostname) != len) {
                                                        OPENSSL_free(s->session->tlsext_hostname);
+                                                       s->session->tlsext_hostname = NULL;
                                                        *al = TLS1_AD_UNRECOGNIZED_NAME;
                                                        return 0;
                                                }
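Review bot: The added `s->session->tlsext_hostname = NULL;` clears the dangling pointer only on this one error path (the `strlen(...) != len` check), and nothing in the hunk says why the reset matters. The session object still holds the field after `return 0`, so a later free of the session would presumably free the same buffer again. A one-line comment to that effect would keep the assignment from being dropped as redundant in a later cleanup. Any other place in ssl_parse_clienthello_tlsext() that frees `tlsext_hostname` before returning an error should be checked for the same pattern. A regression test that sends a server name containing an embedded NUL byte would pin this path down.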